RELEASE-NOTES-1.28

   1 == MediaWiki 1.28 ==
   2
   3 THIS IS NOT A RELEASE YET
   4
   5 MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
   6 production.
   7
   8 === Configuration changes in 1.28 ===
   9 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  10   made by MediaWiki via a proxy. Relying on the http_proxy environment
  11   variable is no longer supported.
  12 * The load.php entry point now enforces the existing policy of not allowing
  13   access to session data, which includes the session user and the session
  14   user's language. If such access is attempted, an exception will be thrown.
  15 * The number of internal PBKDF2 iterations used to derive the session secret
  16   is configurable via $wgSessionPbkdf2Iterations.
  17 * Upload dialog's file upload log comment can now be configured separately for
  18   local and foreign uploads.
  19 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  20   signifies local uploads. A value of `[]` (empty array) now means that
  21   no upload targets are allowed, effectively disabling the upload dialog.
  22 * The deprecated $wgEditEncoding variable has been removed; it was only used
  23   for Esperanto language character conversion. You are now recommended to use
  24   input methods provided by the UniversalLanguageSelector extension.
  25 * When $wgPingback is true, MediaWiki will periodically ping
  26   https://www.mediawiki.org/beacon with basic information about the local
  27   MediaWiki installation. This data includes, for example, the type of system,
  28   PHP version, and chosen database backend. This behavior is off by default.
  29 * When $EditSubmitButtonLabelPublish is true, MediaWiki will label the button
  30   to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  31   if false, the default, they will be "Save page"/"Save changes".
  32
  33 === New features in 1.28 ===
  34 * User::isBot() method for checking if an account is a bot role account.
  35 * Added a new 'slideshow' mode for galleries.
  36 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
  37 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  38   interact with API parsing.
  39 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  40   upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  41   and the file description page, but does not run for uploads to stash.
  42 * (T141604) Extensions can now provide a better error message when their
  43   maintenance scripts are run without the extension being installed.
  44 * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  45   to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  46   a 'numeric' collation is also available. If migrating from another
  47   collation, you will need to run the updateCollation.php maintenance script.
  48 * Two new codes have been added to #time parser function: "xit" for days in current
  49   month, and "xiz" for days passed in the year, both in Iranian calendar.
  50 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  51   appropriate for sending multi-valued parameters. This defaults to true when
  52   the mw.Api instance seems to be for the local wiki.
  53
  54 === External library changes in 1.28 ===
  55
  56 ==== Upgraded external libraries ====
  57 * Updated es5-shim from v4.1.5 to v4.5.8
  58
  59 ==== New external libraries ====
  60
  61 ==== Removed and replaced external libraries ====
  62
  63 === Bug fixes in 1.28 ===
  64 * (T137264) SECURITY: XSS in unclosed internal links
  65 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  66 * (T133147) SECURITY: Require login to preview user CSS pages
  67 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  68   the top file
  69 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  70   permissions
  71 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  72 * (T139670) Move 'UserGetRights' call before application of
  73   Session::getAllowedUserRights()
  74
  75 === Action API changes in 1.28 ===
  76 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  77   the value of $wgMaxArticleSize.
  78 * Property 'modulemessages' from action=parse&prop=modules was removed
  79   (deprecated since 1.26).
  80 * The following response properties from action=login, deprecated in 1.27, are
  81   now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  82   to properly manage session state.
  83 * Submitting the lgtoken and lgpassword parameters in the query string to
  84   action=login is now deprecated and outputs a warning. They should be submitted
  85   in the POST body instead.
  86 * Submitting sensitive authentication request parameters to action=clientlogin,
  87   action=createaccount, action=linkaccount, and action=changeauthenticationdata
  88   in the query string is now deprecated and outputs a warning. They should be
  89   submitted in the POST body instead.
  90 * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  91   instead of the pipe character. This will be useful if some of the multiple
  92   values need to contain pipes, e.g. for action=options.
  93 * The API will now warn if input is not NFC-normalized Unicode or if it
  94   contains invalid characters.
  95 * The 'normalized' list output by action=query and other modules that use
  96   ApiPageSet may contain entries where the 'from' value is percent-encoded as
  97   the raw value cannot be represented in a valid API response. These are
  98   indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
  99
 100 === Action API internal changes in 1.28 ===
 101 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
 102   interact with ApiParse and ApiExpandTemplates.
 103 * (T139565) SECURITY: API: Generate head items in the context of the given title
 104 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
 105
 106 === Languages updated in 1.28 ===
 107
 108 MediaWiki supports over 350 languages. Many localisations are updated
 109 regularly. Below only new and removed languages are listed, as well as
 110 changes to languages because of Phabricator reports.
 111
 112 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
 113   BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
 114 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
 115   Saiddzone Saimawnkham, Saosukham, and Sengwan.
 116 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks
 117
 118 === Other changes in 1.28 ===
 119 * (T128697) Improved handling of large diffs.
 120 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
 121   use or update a custom session provider if needed.
 122 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
 123 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
 124 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
 125 * The 'UserLoginComplete' hook has a new parameter to differentiate between actual
 126   login and visiting the login page while already logged in.
 127 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
 128 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
 129 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
 130   MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
 131   were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
 132   respectively. See docs/hooks.txt for the specific changes needed for those hooks.
 133 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
 134   * Skin::commentBlock() (use Linker::commentBlock() instead)
 135   * Skin::generateRollback() (use Linker::generateRollback() instead)
 136   * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
 137   * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
 138   * Skin::userLink() (use Linker::userLink() instead)
 139   * Skin::userToolLinks() (use Linker::userToolLinks() instead)
 140 * The 'ParserLimitReportFormat' hook was removed.
 141 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
 142   disabled.
 143 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
 144 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
 145   Use ...->stashFile()->getFileKey() instead.
 146 * "Public domain" was removed as a wiki license option from the installer, in
 147   favour of CC-0.
 148 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
 149   on requests needed by primary providers even if all primaries need them.
 150   Primary providers are discouraged from returning multiple REQUIRED requests.
 151 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
 152   will no longer be automatically infused. You should call `OO.ui.infuse()`
 153   on them yourself from your JavaScript code.
 154
 155 == Compatibility ==
 156
 157 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
 158 HHVM 3.6.5 or later.
 159
 160 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
 161 support for them is somewhat less mature. There is experimental support for
 162 Oracle and Microsoft SQL Server.
 163
 164 The supported versions are:
 165
 166 * MySQL 5.0.3 or later
 167 * PostgreSQL 8.3 or later
 168 * SQLite 3.3.7 or later
 169 * Oracle 9.0.1 or later
 170 * Microsoft SQL Server 2005 (9.00.1399)
 171
 172 == Upgrading ==
 173
 174 1.28 has several database changes since 1.27, and will not work without schema
 175 updates. Note that due to changes to some very large tables like the revision
 176 table, the schema update may take quite long (minutes on a medium sized site,
 177 many hours on a large site).
 178
 179 If upgrading from before 1.11, and you are using a wiki as a commons
 180 repository, make sure that it is updated as well. Otherwise, errors may arise
 181 due to database schema changes.
 182
 183 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
 184 new database fields are filled with data.
 185
 186 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
 187 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
 188 with MediaWiki 1.21.
 189
 190 Don't forget to always back up your database before upgrading!
 191
 192 See the file UPGRADE for more detailed upgrade instructions.
 193
 194 For notes on 1.27.x and older releases, see HISTORY.
 195
 196 == Online documentation ==
 197
 198 Documentation for both end-users and site administrators is available on
 199 MediaWiki.org, and is covered under the GNU Free Documentation License (except
 200 for pages that explicitly state that their contents are in the public domain):
 201
 202        https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
 203
 204 == Mailing list ==
 205
 206 A mailing list is available for MediaWiki user support and discussion:
 207
 208        https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
 209
 210 A low-traffic announcements-only list is also available:
 211
 212        https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
 213
 214 It's highly recommended that you sign up for one of these lists if you're
 215 going to run a public MediaWiki, so you can be notified of security fixes.
 216
 217 == IRC help ==
 218
 219 There's usually someone online in #mediawiki on irc.freenode.net.